boomerang exploiting the semantic gap in trusted
play

Boomerang: Exploiting the Semantic Gap in Trusted Execution - PowerPoint PPT Presentation

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric Gustafson, Chad Spensky, Chris Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna Sandia


  1. Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric Gustafson, Chad Spensky, Chris Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000. SANDNO. 2017-XXXXP

  2. Trusted Execution Environment (TEE) ● Hardware-isolated execution environments (e.g., ARM TrustZone) ○ Non-secure world ■ Untrusted OS and untrusted applications (UAs) (e.g., Android and apps) ○ Secure world ■ Higher privilege, can access everything ■ Trusted OS and trusted applications (TAs).

  3. ARM TrustZone NS Bit ● 0 - Secure or Trusted ● 1 - Non-secure or Non-trusted or Untrusted Picture reused from arm.com

  4. Untrusted OS ↔ Trusted OS ● Untrusted applications (UAs) request trusted applications (TAs) to perform privileged tasks. ● TAs should verify the request and perform it only if the request is valid. ○ Example: Sign the contents of a memory region ■ TA should check if the requested memory region belongs to untrusted OS before computing the signature of it.

  5. Untrusted OS ↔ Trusted OS Non-Secure World Secure World Untrusted Trusted Application (UA) Application (TA) Userspace Supervisor Trusted OS Untrusted OS

  6. Untrusted OS ↔ Trusted OS Non-Secure World Secure World Untrusted Trusted ? Application (UA) Application (TA) Userspace Supervisor Trusted OS Untrusted OS

  7. Untrusted OS ↔ Trusted OS Non-Secure World Secure World Untrusted Trusted Application (UA) Application (TA) Library Userspace Supervisor Driver Interface (ioctl) Trusted OS Untrusted OS

  8. Untrusted OS ↔ Trusted OS Non-Secure World Secure World Untrusted Trusted Application (UA) Application (TA) Library Userspace Supervisor SMC Driver Interface (ioctl) Interface Trusted OS TEE Untrusted OS

  9. Untrusted OS ↔ Trusted OS Non-Secure World Secure World Untrusted Trusted Application (UA) Application (TA) Library Userspace Supervisor Driver Interface (ioctl) Interface Trusted OS TEE Untrusted OS

  10. Untrusted OS ↔ Trusted OS Non-Secure World Secure World Untrusted Trusted Application (UA) Application (TA) Library Userspace Supervisor Driver Interface (ioctl) Interface Trusted OS TEE Untrusted OS

  11. Communication with TA ● Requests to TA can contain pointers. struct keymaster_sign_data_cmd { uint32_t data_ptr; // Pointer to the data to sign size_t dlen; // length of the data to sign }; Structure of a sign request to KeyMaster TA.

  12. Pointer translation and sanitization in untrusted OS ● Memory model could be different in untrusted and trusted OSes. ● One should use physical address for all pointer values between trusted and untrusted OSes.

  13. Pointer translation and sanitization in untrusted OS ● Sanitization: Untrusted OS should check that the UA has access to the pointer provided in the request. ● Translation: Convert the virtual address to physical address. ● We call this functionality in untrusted OS as PTRSAN .

  14. Example PTRSAN int ptr_san(void *data, size_t len, phy_t *target_phy_addr) { Sanitization if(! access_ok(VERIFY_WRITE, data, len) ) { return -EINVAL; } Translation * target_phy_addr = get_physical_address(data) ; return 0; }

  15. PTRSAN Non-Secure World Secure World Trusted Application (TA) Untrusted Application (UA) P P P P P P T T T T T T R R R R R R Userspace Supervisor PTRSAN P P P P P P T T T T T T R R R R R R Trusted OS Untrusted OS Unknown VA PA

  16. Handling untrusted pointers in trusted OS ● Check if the physical address indicated by the pointer belongs to the non-secure memory. ○ Protect trusted OS against untrusted OS ● Trusted OS (or TA) has no information about the UA which raised the request.

  17. Handling untrusted pointers in trusted OS ● Check if the physical address indicated by the pointer belongs to the non-secure memory. ○ Protect trusted OS against untrusted OS Semantic Gap ● Trusted OS (or TA) has no information about the UA which raised the request.

  18. Bypassing Sanitization Non-Secure World Secure World Trusted Application (TA) Untrusted Application (UA) P P P P P P T T T T T T R R R R R R Userspace Supervisor PTRSAN P P P P P P T T T T T T R R R R R R Trusted OS Untrusted OS Unknown VA PA

  19. Bypassing Sanitization Non-Secure World Secure World Trusted Application (TA) Untrusted Application (UA) P P P P P P P P T T T T T T T T R R R R R R R R Userspace Supervisor PTRSAN P P P P P P T T T T T T R R R R R R Trusted OS Untrusted OS Malicious Unknown VA PA

  20. Boomerang flaw Non-Secure World Secure World Trusted Application (TA) Untrusted Application (UA) P P P P P P P P T T T T T T T T R R R R R R R R Userspace Supervisor PTRSAN P P P P P P T T T T T T R R R R R R Trusted OS Untrusted OS Malicious Unknown VA PA

  21. Boomerang flaw ● Real world PTRSAN implementations are complex. ● Can we bypass the validation and make PTRSAN translate arbitrary physical address?

  22. YES!! ● We can bypass PTRSAN in all of the popular TEE implementations. TEE Name Vendor Impact Bug Details TrustedCore Huawei Arbitrary write CVE-2016-8762 QSEE Qualcomm Arbitrary write CVE-2016-5349 Trustonic As used by Samsung Arbitrary write PZ-962* No response from Sierra TEE Sierraware Arbitrary write vendor Write to other OP-TEE Linaro Github issues 13, 14 application’s memory *concurrently found by Google Project Zero (laginimaineb)

  23. How to exploit Boomerang flaws?

  24. Automatic detection of vulnerable TAs ● Goal: Find TAs which accepts pointers ● Static analysis of the TA binary: ○ Recover CFG of the TA ○ Paths from the entry point to potential sinks ○ Output the trace of Basic Block addresses

  25. Results TEE Name Number of TAs Vulnerable TAs QSEE 3 3 TrustedCore 10 6 Arbitrary kernel memory read on Qualcomm phones. ✓ Kernel code execution on Huawei P8 and P9. ✓ Demonstrated at GeekPwn. ✓ Geekpwn Grand Prize ($$$) ✓

  26. Impact ● Compromising untrusted OS == Rooting your device. ● Hundreds of millions of devices on the market today. ● Fixes yet to be released. ● Your device may be vulnerable!!!

  27. Expectation + =

  28. Reality + =

  29. How to prevent Boomerang attacks?

  30. Just fix PTRSAN? NO!! This requires to understand the semantics of current and future TAs. ● Structure of the TA request? ● Which fields within the structure are pointers?

  31. Root Cause ● Semantic Gap : Inability of the TA (or TEE) to verify whether the requested UA has access to the requested memory ● Should have a mechanism for the TA (or TEE) to verify or bridge the semantic gap.

  32. Existing Defenses ● Page Table Introspection ● Dedicated Shared Memory Region (DSMR)

  33. Page Table Introspection ● Implemented in NVIDIA Trusted Little Kernel. ● Untrusted OS sends an id (e.g., pid) of the requested app (UA) along with every request. ● TA or TEE verify the access of all untrusted pointers by referring to the requested app page table .

  34. Page Table Introspection Pros: ● Easy to implement. Cons: ● Trusted OS depends on Untrusted OS ● Increases attack surface ● Page table walking could be dangerous

  35. Dedicated Shared Memory Region (DSMR) ● Implemented in Open Platform -Trusted Execution Environment (OP-TEE). ● Dedicated memory region for communication between trusted and untrusted OS. ● UA should request access to the shared memory. ● TA or TEE verify that all untrusted pointers are within the dedicated memory region.

  36. Dedicated Shared Memory Region (DSMR) Pros: ● Simple ● Independence from Untrusted OS Cons: ● UA can interfere with other UAs via TAs (Partial Boomerang) ● Additional copying to/from shared memory ● Allocation of shared memory could become bottleneck in case of multithreaded applications. ● Some applications (integrity monitoring) are hard to implemented using DSMR.

  37. Cooperative Semantic Reconstruction (CSR) ● Novel defense proposed by us. ● Provides a channel for Trusted OS to query Untrusted OS for validation.

  38. Cooperative Semantic Reconstruction (CSR) Normal flow

  39. Cooperative Semantic Reconstruction (CSR) Normal flow

  40. Cooperative Semantic Reconstruction (CSR) Normal flow

  41. Cooperative Semantic Reconstruction (CSR) Verification flow Normal flow

  42. Cooperative Semantic Reconstruction (CSR) Verification flow Normal flow

  43. Cooperative Semantic Reconstruction (CSR) Verification flow Normal flow

  44. Cooperative Semantic Reconstruction (CSR) Verification flow Normal flow

  45. Cooperative Semantic Reconstruction (CSR) Verification flow Normal flow

  46. Implementation ● Open Platform-Trusted Execution Environment (OP-TEE) ● Easy to use ● Helpful community ● Has DSMR already implemented ● HiKey Development board (Lemaker Version)

Recommend


More recommend